Israel arrests two teens for $600,000 cybercrime operation

Israeli law enforcement has arrested Yarden Bidani and Itay Huri as part of an FBI investigation into their alleged control of vDOS, one of the most popular paid attack platforms. The two 18-year-olds raked in at least $618,000 running a massive cybercrime operation in recent years. The platform itself is also offline, although that’s due to one of vDOS’ victims (BackConnect Security). vDOS is a web service that helps customers carry out so-called distributed denial-of-service (DDoS) attacks for the purpose of knocking websites offline. Such DDoS attacks work by flooding the targeted website with traffic from multiple computers until it crashes. It’s as if millions of callers tried to dial the same phone number simultaneously.

The duo were arrested on September 08, around the same time that U.S. cybercrime investigator Brian Krebs, a former Washington Post staffer and among the best-known writers on data security in the world, published a story on KrebsOnSecurity naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.

Bidani and Huri did not cover their tracks carefully. The pair hosted vDOS on a server connected to Huri, and its email and SMS notifications pointed to the two. They even wrote a technical paper on DDoS attacks, while Bidani’s old Facebook page references the AppleJ4ck pseudonym he used to conduct vDOS business. And if that weren’t enough, vDOS refused to target any Israeli site since it was the owner’s “home country.”

The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.

Both suspects were questioned and released on September 09 on bail equivalent to about USD $10,000 each, with some conditions. Officials have placed them under house arrest for 10 days, seized their passports and barred them from using any internet or telecom devices for 30 days. It’s unclear if they face extradition to the US.

The bust isn’t going to stop paid denial of service attacks. However, it may put a temporary dent in the volume of those attacks — and it’ll certainly spook vDOS competitors who’ve been careless about hiding their activities.